Netbus, what would you do.

Hi Guys,
Thought I'd post this; I would like to get an overview of what you people here at AO would do.

I'm running a firewall which has recently recorded a couple of inbound TCP connection attempts.
Using TDS3 I did an interrogation of the recorded IP address and found that NetBus was running on port 12345. Within TDS3 you have a TCP connect utility, so I made a connection to port 12345 on the remote machine; this showed me NetBus 1.7x, password protected. Now within TDS3 you have the ability to disinfect the remote machine. However, that would require knowing the password.

The question I would like to ask is what people here would do with this information: crack the password and disinfect, report to the network abuse department? Whatever?
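The banner check the poster describes (a TCP connect to 12345 and a look at what comes back), as an added example that is not part of the original thread and not TDS3's code. NetBus 1.x servers announce themselves with a greeting line such as "NetBus 1.70" as soon as the connection is up; the sample banner below is constructed, the default address is a hypothetical documentation-range host, and the check is read-only so it never attempts to authenticate against the remote machine.

```python
import socket

NETBUS_PORT = 12345  # default NetBus 1.x listening port, as in the post

# Constructed sample greeting in the shape a NetBus 1.7x server sends on connect.
SAMPLE_BANNER = b"NetBus 1.70\r"


def classify_banner(banner: bytes) -> dict:
    """Decide whether a greeting read from TCP/12345 looks like NetBus 1.x.

    Returns {"is_netbus": bool, "version": str | None, "raw": str}.
    Anything that does not start with "NetBus" is reported as a non-match,
    so an SSH daemon or web server someone parked on 12345 is not misread.
    """
    text = banner.decode("latin-1").strip()  # latin-1 never fails on arbitrary bytes
    if not text.startswith("NetBus"):
        return {"is_netbus": False, "version": None, "raw": text}
    fields = text.split()
    version = fields[1] if len(fields) > 1 else None
    return {"is_netbus": True, "version": version, "raw": text}


def grab_banner(host: str, port: int = NETBUS_PORT, timeout: float = 5.0) -> bytes:
    """Connect to host:port, read what the service volunteers, and close.

    Nothing is sent, so no password or command ever goes to the remote side.
    Returns b"" if the peer accepts the connection but stays silent.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(256)
        except socket.timeout:
            return b""


def check_host(host: str, port: int = NETBUS_PORT) -> dict:
    """Banner-grab one host and classify the result, folding errors into the dict."""
    try:
        banner = grab_banner(host, port)
    except OSError as exc:  # connection refused, unreachable, DNS failure
        return {"is_netbus": False, "version": None, "raw": "", "error": str(exc)}
    result = classify_banner(banner)
    result["error"] = None
    return result


if __name__ == "__main__":
    import sys

    # Hypothetical target from the TEST-NET-2 documentation range.
    target = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.23"
    print(check_host(target))
```

Run it as `python netbus_banner.py <ip>`; a live NetBus 1.7x server yields `is_netbus: True` with the version string, a closed port yields the socket error text instead. The classification step is kept separate from the network step so it can be checked against saved banners without touching the remote host again.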

Is this a home computer or one at work? Either way I would simply disconnect the system from the network and "clean" it. If you really must get the password then run a packet sniffer watching that particular port and IP. Whoever installed it is bound to log into it.

If this machine isn't yours... which I think it isn't (because you're seeing it inbound), I'd send an email to the admin of whoever's network the attacking machine is on and notify them of the time, date, IP and activity. Sometimes emails go ignored... so a phone call would also work... if you don't mind paying tolls. You can do a whois on the network and find out if they have a toll-free number for you to call too.

It is possible that the user of the infected machine doesn't even know he has it on there... Or it could be some s.kiddie too. I've never used NetBus... so I'm not sure of how the trojan works (whether there is a client/server in one, or if the client and server are separate).

I would not try to crack the password because you would be causing just as much trouble as the other person is. I'm not sure about your laws... but I know several places have "hack back" laws that prohibit this type of activity.

Just be happy that your firewall is blocking it and he isn't going to get your network. Report them with the usual info, and let the ISP take care of it... (notifying the user, monitoring for suspicious activity, etc.)

If I am reading this right, you have tracked back the computer that was scanning you for NetBus. If that is the case, you have the IP address. Armed with that info, I think it's best you stay out of trouble; don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to abuse@isp.com.
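Bundling up the evidence for the abuse desk, as an added example that is not part of the thread: it parses firewall log lines, keeps only blocked TCP attempts at the port(s) of interest, and groups them by source address with count, first and last seen, and the raw lines, which is what an ISP abuse contact needs to act. The sample lines are constructed in the style of the Linux iptables LOG target and use documentation address ranges; the poster's own firewall format is not given in the thread, so the regex is an assumption that would need adjusting for another product.

```python
import re

# Constructed sample log in iptables LOG-target style; hosts are documentation
# addresses (198.51.100.0/24, 192.0.2.0/24, 203.0.113.0/24), not real machines.
SAMPLE_LOG = """\
Mar 12 03:14:07 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=4412 DPT=12345
Mar 12 03:14:09 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=4413 DPT=12345
Mar 12 03:14:11 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=4414 DPT=12346
Mar 12 05:02:33 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=1027
Mar 12 05:10:45 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
"""

# Assumed line shape: syslog timestamp, host, "kernel:", verdict, then KEY=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+(?P<action>\w+)\s+"
    r".*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
)


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text: str, ports=frozenset({12345}), actions=frozenset({"DROP", "REJECT"})) -> dict:
    """Group blocked TCP attempts at `ports` by source address.

    first/last are taken in order of appearance, which is the log's own order;
    the syslog timestamp carries no year or timezone, so state yours in the mail.
    """
    by_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in actions:
            continue
        if rec["proto"] != "TCP" or rec["dpt"] not in ports:
            continue
        entry = by_src.setdefault(
            rec["src"], {"count": 0, "first": rec["ts"], "last": rec["ts"], "dst_ports": set(), "lines": []}
        )
        entry["count"] += 1
        entry["last"] = rec["ts"]
        entry["dst_ports"].add(rec["dpt"])
        entry["lines"].append(line)
    return by_src


def abuse_report(by_src: dict, target: str) -> str:
    """Render a plain-text summary with the raw lines, ready to paste into a mail to abuse@."""
    out = []
    for src, s in sorted(by_src.items()):
        out.append(
            f"Source {src} -> {target}: {s['count']} blocked TCP connection attempt(s) "
            f"to port(s) {sorted(s['dst_ports'])}, first {s['first']}, last {s['last']} "
            f"(firewall local time)"
        )
        out.extend("  " + raw for raw in s["lines"])
    return "\n".join(out)


if __name__ == "__main__":
    print(abuse_report(summarize(SAMPLE_LOG), "203.0.113.5"))
```

Restricting the summary to blocked attempts at the NetBus port keeps unrelated noise (the UDP line, the accepted web hit) out of the report, and attaching the raw lines lets the ISP verify the claim against the source's own records rather than taking the summary on trust. Widening `ports` to include 12346 picks up the third attempt in the sample.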

Originally posted here by DjM: If I am reading this right, you have tracked back the computer that was scanning you for NetBus. If that is the case, you have the IP address. Armed with that info, I think it's best you stay out of trouble; don't try a 'hack-back' by cracking the password. With the IP address, determine his/her ISP. Bundle up all the evidence you have (logs, etc.) of the attack/scan and send it to abuse@isp.com.

This is the smart way to go, it is the legal course of action.

Cheers:

The attacker could also be scanning from another compromised machine, and not his own, so this will not always catch your attacker.

N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

The attacker could also be scanning from another compromised machine, and not his own, so this will not always catch your attacker.

Right, so if you did decide to crack their password you could invite more problems.

Not only did you break into their computer... can you prove that you didn't put it there?

What if that person reports you, and your ISP suspends your account? Then you have to go looking for another ISP.

At least reporting it to the ISP will give them a chance to find out what is going on. They know who the user is, and they won't tell you. They can decide if the user is doing something malicious, or if they've been owned... if they're infected, the ISP can advise them to take care of it.

The attacker could also be scanning from another compromised machine, and not his own, so this will not always catch your attacker.

True CXGJarrod, but by doing this (reporting the attack to the ISP), you are not breaking any laws, you are stopping (well, trying to stop) the attack and you are alerting the ISP to a problem. I still believe this is the course to follow.

If you have his IP you can also send him/her a "net send" message and let them know they are infected. You can also ask them to contact you for more info. If this person has a firewall, net send will be blocked, but I doubt that because this NetBus trojan is out in the open.
You may have to repeat this a couple of times and see what happens; if nothing happens you can send a complaint to his/her ISP.